Security Issues for the Power Automation Industry in Central/South America. Juan Esteban Hoyos Pareja Timothy X. Brown Mark Dehus

Size: px

Start display at page:

Download "Security Issues for the Power Automation Industry in Central/South America. Juan Esteban Hoyos Pareja Timothy X. Brown Mark Dehus"

Jonas McDaniel
8 years ago
Views:

1 Security Issues for the Power Automation Industry in Central/South America 1 Juan Esteban Hoyos Pareja Timothy X. Brown Mark Dehus 1

2 2 A Practical Attack on Cyber-infrastructure University of Colorado Boulder 2

3 Content 1. INTRODUCTION 2. CRITICAL INFRASTRUCTURE PROTECTION History, Agencies, and Standards. Cybersecurity for IEC The Encryption & Message Authentication vs Latency 3. EXPLOITING THE GOOSE PROTOCOL Normal GOOSE Function Attack Vectors and Techniques Attack Consequences 4. BUILDING A PRACTICAL CYBER ATTACK Technical Details Building the Script The Results of the Attack 5. CONCLUSION 3 3

EXPLOITING THE GOOSE PROTOCOL Normal GOOSE Function Attack Vectors and Techniques Attack

4 INTRODUCTION: Digital Energy Program Graduate Education Program on utility communications infrastructure and security Smart Grid Applications Create system societal value 4 University of Colorado Boulder Computing Information Technology Facilitates timely decision making Communications Infrastructure Enables 2-way communications to entire supply chain Energy Infrastructure Physical structure distributes energy

Colorado Boulder Computing Information Technology Facilitates timely decision making Communications

5 INTRODUCTION: Digital Energy Program Master s Degree Telecom based-degree and includes essential cross disciplines subjects: Technology Business and economics Regulatory policy Energy Systems Communications ECN Networks ECN certificate Telecommunications Systems Data Communications I Energy Systems Energy Communications Networks 5 University of Colorado Boulder Previous calculus based physics required Apply the ECN certificate toward your master s degree - add another specialization. Power electronics Network architecture Wireless networks Computer and network security Project management

Communications Networks 5 University of Colorado Boulder Previous calculus based physics required Apply the ECN certificate toward your master s degree - add

6 INTRODUCTION 6 Mexico Honduras Guatemala Panama Colombia Energy Water Peru Brazil 6

7 CRITICAL INFRASTRUCTURE PROTECTION 7 History, Agencies, and Standards. 7

8 EXPLOITING THE GOOSE PROTOCOL Attack Consequences 8 8

9 INTRODUCTION 9 What is 61850? 9

10 INTRODUCTION 10 Process Data Trips, Alarms, interlocking Operational Data. Status Remote Control Metering Non Operational Data - Control of Losses - Asset Management Data - IEDs Management - Event Data Collection. 10

11 CRITICAL INFRASTRUCTURE PROTECTION MMS Status Measurements Layer 2 or peer to peer communications. GOOSE SMV Trip Interlocking Status Measurement for protective functions 11 11

12 CRITICAL INFRASTRUCTURE PROTECTION v1 Release 2003 Communication networks and systems in substations No security for GOOSE message, confined in a physical perimeter v2 Release 2008 Communication networks and systems for power utility automation

GOOSE message, confined in a physical perimeter 61850 v2 Release

13 CRITICAL INFRASTRUCTURE PROTECTION

14 CRITICAL INFRASTRUCTURE PROTECTION Cybersecurity for IEC Introduction to the standard 2. Glossary of terms 3. Security for any profiles including TCP/IP, 4. Security for any profiles (MMS, ICCP, IEC , ) 5. Security for any profiles including (IEC , DNP3) 6. Security for IEC peer to peer profiles 7. Security through network and system management 8. Role-based access control 9. Key Management 10. Security Architecture 11. Security for XML Files 14

Security for any profiles (MMS, ICCP, IEC 60870-5, ) 5. Security for any profiles including (IEC 60870-5, DNP3) 6.

15 CRITICAL INFRASTRUCTURE PROTECTION Cybersecurity for IEC THE ENCRYPTION & MESSAGE AUTHENTICATION VS LATENCY 15

16 CRITICAL INFRASTRUCTURE PROTECTION 16 The Encryption & Message Authentication vs Latency Transfer Time t = t a + t b + t c t a t b t c Fx Physical Relay Physical Relay Fx Physical device 1 Physical device 2 16

17 CRITICAL INFRASTRUCTURE PROTECTION 17 The Encryption & Message Authentication vs Latency Transfer Time t = t a + t b + t c t a t b t c Fx Communic ation Processor Communic ation Processor Fx Network Physical device 1 Physical device 2 17

b + t c t a t b t c Fx Communic ation Processor Communic

18 CRITICAL INFRASTRUCTURE PROTECTION 18 The Encryption & Message Authentication vs Latency Ethernet 18

19 CRITICAL INFRASTRUCTURE PROTECTION 19 The Encryption & Message Authentication vs Latency 4ms 19

20 CRITICAL INFRASTRUCTURE PROTECTION 20 The Encryption & Message Authentication vs Latency TIME TO GENERATE AND VERIFY A DIGITAL SIGNATURE ON A 1.0 GHZ PENTIUM III PROCESSOR FOR DIFFERENT SCHEMES 20

21 CRITICAL INFRASTRUCTURE PROTECTION 21 The Encryption & Message Authentication vs Latency NIST Special Publication A 21

22 CRITICAL INFRASTRUCTURE PROTECTION 22 Options Install faster processor in the IEDs Use processor with embedded security Use co-processors ASICs Use group-key and certificates Constrains IEDs enclosure, fan-less boxes to avoid dust and bugs Limited processor power Long life time of IEDs ~10 years Backward compatibility Who will handle the certificates Price-Benefits 22

23 CRITICAL INFRASTRUCTURE PROTECTION 23 23

24 24 EXPLOITING THE GOOSE PROTOCOL 24

25 EXPLOITING THE GOOSE PROTOCOL 25 Fx Network VPN IPSEC GRSP Fx Physical device 1 Physical device 2 End to End 25

26 EXPLOITING THE GOOSE PROTOCOL 26 26

27 EXPLOITING THE GOOSE PROTOCOL Normal GOOSE Function 27 Time of Transmission t 0 T (0) t 1 t 1 t 2 t 3 t 0 Event T 0 Retransmission in stable conditions (no events for long time) T (0) Retransmission in stable conditions may be shorter by event T 1 Shortest retransmission time after the event T 1 T 1 Retransmission time until achieving the stable condition time 27

28 EXPLOITING THE GOOSE PROTOCOL 28 Vulnerabilities 1. Computer software: 2. Communications links and networking: Communications channel penetration, Network sniffing, Hijacking, Spoofing and playback, Man-in-the-Middle attacks, Denial-of-Service attacks, Internet-related attacks 3. System Administration 4. On employees 5. Miscellaneous 28

29 EXPLOITING THE GOOSE PROTOCOL 29 Attack Vectors and Techniques 29

30 EXPLOITING THE GOOSE PROTOCOL 30 Motivations 30

31 EXPLOITING THE GOOSE PROTOCOL Attack Consequences 31 31

32 32 32

33 BUILDING A PRACTICAL CYBER ATTACK 33 Technical Details 1. Identify GOOSE messages in the network Ether-type, 0x88B8. 2. Decode the GOOSE message using the definition of ASN1 described in the IEC Look for three specific fields: stnum, sqnum, and the Boolean values inside the data sets 4. Change the data for any Boolean value inside the data-set, if the value is true the code overwrites a false and vice versa. 5. Generate the spoofed messages 6. Send them through the network with the same source and destination MAC address as the valid user. 33

34 BUILDING A PRACTICAL CYBER ATTACK 34 (2) Cisco 3600 Routers (1) RuggedCom 2100 (1) RuggedCom RS900 (1) Linksys wireless router (4) IEDs. (1) MacBook Air 1.5Ghz Intel core i5 34

35 BUILDING A PRACTICAL CYBER ATTACK 35 Building the Script Time of Transmission T (0) T (0) T (0) T (0) Attack 1s Valid messages 35

36 BUILDING A PRACTICAL CYBER ATTACK The Results of the Attack 36 6 Same MAC source

37 CONCLUSION 37 37

38 CONCLUSION 38 38

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources